API Reference
Two HTTP APIs are available for direct programmatic access to ELLIO. Both are described by OpenAPI 3 specifications and come with interactive request playgrounds on this site. Streaming integrations (Microsoft Sentinel TAXII, MISP feeds) use separate connector endpoints with their own credentials - see Connectors.
CTI API
Look up an IP address against the ELLIO Deception Network. Returns classification, tags, ASN, geo, fingerprints, kill-chain phase, and observation history.
- GET IP lookup
- GET Extended IP lookup
- POST Bulk IP lookup
EDL Management API
Programmatically manage IP rulesets, individual rules, batch operations, expirations, and Common Business Services. Pairs with every External Dynamic List you publish from the ELLIO platform.
- Rulesets & rules - CRUD & batch
- Expiration by time threshold
- IP membership checks
- Common Business Services browsing
Authentication
Both APIs accept the same API key in two ways - the X-API-Key header
(recommended) or the apikey query parameter. Generate, scope, and rotate
keys from the API keys page in the platform.
```http
# Header (recommended)
GET /v1/cti/lookup/198.51.100.42
X-API-Key: <your-api-key>

# Query parameter
GET /v1/cti/lookup/198.51.100.42?apikey=<your-api-key>
```
The same key works against both APIs - the access level (Read Only /
Read & Write) decides which mutations succeed. See the
API keys reference for rotation patterns and
audit details.
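A client-side sketch of the header form, added here as an example and not ELLIO's own code: it keeps the key out of the URL (query strings are commonly recorded in proxy and web-server access logs), accepts only a literal IP address for the path, and masks an `apikey` parameter before a URL is logged. The base URL is a placeholder and the `ELLIO_API_KEY` variable name is an assumption; only the path and the `X-API-Key` / `apikey` names come from this page.

```python
import ipaddress
import os
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Placeholder host: this page does not state the API base URL.
BASE_URL = "https://api.example.invalid"


def build_lookup_request(ip: str, api_key: str) -> urllib.request.Request:
    """Build GET /v1/cti/lookup/<ip> with the key in X-API-Key, never in the URL."""
    if not api_key or any(c in api_key for c in "\r\n"):
        raise ValueError("API key is empty or contains line breaks")
    # Parsing rejects anything that is not a literal IP address, so untrusted
    # input cannot add path segments or query parameters to the request.
    addr = ipaddress.ip_address(ip.strip())
    url = f"{BASE_URL}/v1/cti/lookup/{addr}"
    return urllib.request.Request(url, headers={"X-API-Key": api_key}, method="GET")


def redact_url(url: str) -> str:
    """Mask an apikey query parameter before a URL is logged or shown in an error."""
    parts = urlsplit(url)
    query = [
        (name, "REDACTED" if name.lower() == "apikey" else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Hypothetical environment variable name; the fallback is a constructed sample.
    key = os.environ.get("ELLIO_API_KEY", "constructed-sample-key")
    req = build_lookup_request("198.51.100.42", key)
    # Only the method and the redacted URL are printed; the key never is.
    print(req.get_method(), redact_url(req.full_url))
```
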
Where to go next
- First time? Start with the Blocklist Automation quickstart - it walks you through creating an EDL end-to-end, then shows where the API fits in.
- Streaming indicators into Sentinel? See the Microsoft Sentinel TAXII integration instead - TAXII 2.1 is a better fit than per-IP API calls for that use case.
- Looking for examples? ELLIO publishes open-source plugins and integrations on GitHub.